Internet Storm Center
Sign In
Sign Up
Handler on Duty:
Didier Stevens
Threat Level:
green
Date
Author
Title
2024-09-25
Johannes Ullrich
DNS Reflection Update and Odd Corrupted DNS Requests
2024-08-26
Xavier Mertens
From Highly Obfuscated Batch File to XWorm and Redline
2024-06-20
Guy Bruneau
No Excuses, Free Tools to Help Secure Authentication in Ubuntu Linux [Guest Diary]
2024-06-13
Guy Bruneau
The Art of JQ and Command-line Fu [Guest Diary]
2024-03-28
Xavier Mertens
From JavaScript to AsyncRAT
2024-03-13
Xavier Mertens
Using ChatGPT to Deobfuscate Malicious Scripts
2024-02-20
Xavier Mertens
Python InfoStealer With Dynamic Sandbox Detection
2024-02-09
Xavier Mertens
MSIX With Heavily Obfuscated PowerShell Script
2024-01-26
Xavier Mertens
A Batch File With Multiple Payloads
2024-01-12
Xavier Mertens
One File, Two Payloads
2024-01-02
Johannes Ullrich
Fingerprinting SSH Identification Strings
2023-09-30
Xavier Mertens
Simple Netcat Backdoor in Python Script
2023-07-06
Jesse La Grew
IDS Comparisons with DShield Honeypot Data
2023-06-16
Xavier Mertens
Another RAT Delivered Through VBS
2023-06-09
Xavier Mertens
Undetected PowerShell Backdoor Disguised as a Profile File
2023-05-26
Xavier Mertens
Using DFIR Techniques To Recover From Infrastructure Outages
2023-05-17
Xavier Mertens
Increase in Malicious RAR SFX files
2023-03-30
Xavier Mertens
Bypassing PowerShell Strong Obfuscation
2023-03-21
Didier Stevens
String Obfuscation: Character Pair Reversal
2023-03-18
Xavier Mertens
Old Backdoor, New Obfuscation
2023-02-10
Xavier Mertens
Obfuscated Deactivation of Script Block Logging
2023-02-04
Guy Bruneau
Assemblyline as a Malware Analysis Sandbox
2023-02-01
Didier Stevens
Detecting (Malicious) OneNote Files
2023-01-25
Xavier Mertens
A First Malicious OneNote Document
2022-12-29
Jesse La Grew
Opening the Door for a Knock: Creating a Custom DShield Listener
2022-11-05
Guy Bruneau
Windows Malware with VHD Extension
2022-11-04
Xavier Mertens
Remcos Downloader with Unicode Obfuscation
2022-10-18
Xavier Mertens
Python Obfuscation for Dummies
2022-07-20
Johannes Ullrich
Apple Patches Everything Day
2022-07-06
Johannes Ullrich
How Many SANs are Insane?
2022-06-24
Xavier Mertens
Python (ab)using The Windows GUI
2022-06-19
Didier Stevens
Video: Decoding Obfuscated BASE64 Statistically
2022-06-18
Didier Stevens
Decoding Obfuscated BASE64 Statistically
2022-06-16
Xavier Mertens
Houdini is Back Delivered Through a JavaScript Dropper
2022-06-01
Jan Kopriva
HTML phishing attachments - now with anti-analysis features
2022-05-09
Xavier Mertens
Octopus Backdoor is Back with a New Embedded Obfuscated Bat File
2022-05-07
Guy Bruneau
Phishing PDF Received in my ISC Mailbox
2022-02-01
Xavier Mertens
Automation is Nice But Don't Replace Your Knowledge
2021-11-18
Xavier Mertens
JavaScript Downloader Delivers Agent Tesla Trojan
2021-11-14
Didier Stevens
Video: Obfuscated Maldoc: Reversed BASE64
2021-11-08
Xavier Mertens
(Ab)Using Security Tools & Controls for the Bad
2021-10-18
Xavier Mertens
Malicious PowerShell Using Client Certificate Authentication
2021-09-22
Didier Stevens
An XML-Obfuscated Office Document (CVE-2021-40444)
2021-07-31
Guy Bruneau
Unsolicited DNS Queries
2021-06-24
Xavier Mertens
Do you Like Cookies? Some are for sale!
2021-06-04
Xavier Mertens
Russian Dolls VBS Obfuscation
2021-05-08
Guy Bruneau
Who is Probing the Internet for Research Purposes?
2021-04-10
Guy Bruneau
Building an IDS Sensor with Suricata & Zeek with Logs to ELK
2021-02-26
Guy Bruneau
Pretending to be an Outlook Version Update
2021-01-04
Jan Kopriva
From a small BAT file to Mass Logger infostealer
2020-12-06
Didier Stevens
oledump's Indicators (video)
2020-12-05
Guy Bruneau
Is IP 91.199.118.137 testing Access to aahwwx.52host.xyz?
2020-12-04
Guy Bruneau
Detecting Actors Activity with Threat Intel
2020-11-19
Xavier Mertens
PowerShell Dropper Delivering Formbook
2020-11-13
Xavier Mertens
Old Worm But New Obfuscation Technique
2020-11-05
Xavier Mertens
Did You Spot "Invoke-Expression"?
2020-10-30
Xavier Mertens
Quick Status of the CAA DNS Record Adoption
2020-10-24
Guy Bruneau
An Alternative to Shodan, Censys with User-Agent CensysInspect/1.1
2020-10-14
Xavier Mertens
Nicely Obfuscated Python RAT
2020-09-20
Guy Bruneau
Analysis of a Salesforce Phishing Emails
2020-09-04
Jan Kopriva
A blast from the past - XXEncoded VB6.0 Trojan
2020-08-19
Xavier Mertens
Example of Word Document Delivering Qakbot
2020-08-16
Didier Stevens
Small Challenge: A Simple Word Maldoc - Part 3
2020-08-08
Guy Bruneau
Scanning Activity Include Netcat Listener
2020-07-24
Xavier Mertens
Compromized Desktop Applications by Web Technologies
2020-07-19
Guy Bruneau
Scanning Activity for ZeroShell Unauthenticated Access
2020-07-08
Xavier Mertens
If You Want Something Done Right, You Have To Do It Yourself... Malware Too!
2020-06-08
Didier Stevens
Translating BASE64 Obfuscated Scripts
2020-04-27
Xavier Mertens
Powershell Payload Stored in a PSCredential Object
2020-04-24
Xavier Mertens
Malicious Excel With a Strong Obfuscation and Sandbox Evasion
2020-04-10
Xavier Mertens
PowerShell Sample Extracting Payload From SSL
2020-04-03
Xavier Mertens
Obfuscated with a Simple 0x0A
2020-02-22
Xavier Mertens
Simple but Efficient VBScript Obfuscation
2020-02-07
Xavier Mertens
Sandbox Detection Tricks & Nice Obfuscation in a Single VBScript
2020-01-23
Xavier Mertens
Complex Obfuscation VS Simple Trick
2020-01-15
Johannes Ullrich
CVE-2020-0601 Followup
2019-11-22
Xavier Mertens
Abusing Web Filters Misconfiguration for Reconnaissance
2019-10-18
Xavier Mertens
Quick Malicious VBS Analysis
2019-08-09
Xavier Mertens
100% JavaScript Phishing Page
2019-07-11
Xavier Mertens
Russian Dolls Malicious Script Delivering Ursnif
2019-07-02
Xavier Mertens
Malicious Script With Multiple Payloads
2019-06-20
Xavier Mertens
Using a Travel Packing App for Infosec Purpose
2019-06-10
Xavier Mertens
Interesting JavaScript Obfuscation Example
2019-05-31
Didier Stevens
Retrieving Second Stage Payload with Ncat
2019-01-12
Guy Bruneau
Snorpy a Web Base Tool to Build Snort/Suricata Rules
2018-12-31
Didier Stevens
Software Crashes: A New Year's Resolution
2018-12-29
Didier Stevens
Video: De-DOSfuscation Example
2018-12-15
Didier Stevens
De-DOSfuscation Example
2018-12-12
Didier Stevens
Yet Another DOSfuscation Sample
2018-11-27
Xavier Mertens
More obfuscated shell scripts: Fake MacOS Flash update
2018-11-26
Xavier Mertens
Obfuscated bash script targeting QNap boxes
2018-11-16
Xavier Mertens
Basic Obfuscation With Permissive Languages
2018-11-14
Brad Duncan
Day in the life of a researcher: Finding a wave of Trickbot malspam
2018-11-06
Xavier Mertens
Malicious Powershell Script Dissection
2018-10-23
Xavier Mertens
Diving into Malicious AutoIT Code
2018-10-08
Guy Bruneau
Latest Release of rockNSM 2.1
2018-09-30
Didier Stevens
When DOSfuscation Helps...
2018-09-19
Rob VandenBrink
Certificates Revisited - SSL VPN Certificates 2 Ways
2018-09-18
Rob VandenBrink
Using Certificate Transparency as an Attack / Defense Tool
2018-09-05
Rob VandenBrink
Where have all my Certificates gone? (And when do they expire?)
2018-07-30
Didier Stevens
Malicious Word documents using DOSfuscation
2018-07-26
Xavier Mertens
Windows Batch File Deobfuscation
2018-07-03
Didier Stevens
Progress indication for scripts on Windows
2018-06-18
Xavier Mertens
Malicious JavaScript Targeting Mobile Browsers
2018-05-25
Xavier Mertens
Antivirus Evasion? Easy as 1,2,3
2018-04-30
Remco Verhoef
Another approach to webapplication fingerprinting
2018-03-11
Guy Bruneau
rockNSM Configuration & Installation Steps http://handlers.sans.org/gbruneau/rockNSM%20as%20an%20Incident%20Response%20Package.htm
2017-11-23
Xavier Mertens
Proactive Malicious Domain Search
2017-11-11
Xavier Mertens
Keep An Eye on your Root Certificates
2017-11-03
Xavier Mertens
Simple Analysis of an Obfuscated JAR File
2017-10-27
Renato Marinho
"Catch-All" Google Chrome Malicious Extension Steals All Posted Data
2017-09-30
Lorna Hutcheson
Who's Borrowing your Resources?
2017-09-17
Guy Bruneau
rockNSM as a Incident Response Package
2017-07-08
Xavier Mertens
A VBScript with Obfuscated Base64 Data
2017-06-22
Xavier Mertens
Obfuscating without XOR
2017-04-28
Xavier Mertens
Another Day, Another Obfuscation Technique
2017-04-21
Xavier Mertens
Analysis of a Maldoc with Multiple Layers of Obfuscation
2017-04-19
Xavier Mertens
Hunting for Malicious Excel Sheets
2017-03-30
Xavier Mertens
Diverting built-in features for the bad
2017-03-25
Russell Eubanks
Distraction as a Service
2017-03-24
Xavier Mertens
Nicely Obfuscated JavaScript Sample
2017-03-18
Xavier Mertens
Example of Multiple Stages Dropper
2017-02-28
Xavier Mertens
Analysis of a Simple PHP Backdoor
2017-02-12
Xavier Mertens
Analysis of a Suspicious Piece of JavaScript
2017-01-26
Xavier Mertens
IOC's: Risks of False Positive Alerts Flood Ahead
2016-09-15
Xavier Mertens
In Need of a OTP Manager Soon?
2016-08-29
Russ McRee
Recommended Reading: Intrusion Detection Using Indicators of Compromise Based on Best Practices and Windows Event Logs
2016-08-28
Guy Bruneau
Spam with Obfuscated Javascript
2016-08-22
Russ McRee
Red Team Tools Updates: hashcat and SpiderFoot
2016-08-19
Xavier Mertens
Data Classification For the Masses
2016-06-22
Bojan Zdrnja
Security through obscurity never works
2016-06-03
Tom Liston
MySQL is YourSQL
2016-02-20
Didier Stevens
Locky: JavaScript Deobfuscation
2016-02-11
Tom Webb
Tomcat IR with XOR.DDoS
2016-02-07
Xavier Mertens
More Malicious JavaScript Obfuscation
2016-01-29
Xavier Mertens
Scripting Web Categorization
2016-01-25
Rob VandenBrink
Assessing Remote Certificates with Powershell
2016-01-15
Xavier Mertens
JavaScript Deobfuscation Tool
2015-04-08
Tom Webb
Is it a breach or not?
2015-03-26
Daniel Wesemann
Pin-up on your Smartphone!
2015-02-27
Rick Wanner
Let's Encrypt!
2015-02-17
Rob VandenBrink
oclHashcat 1.33 Released
2014-09-19
Guy Bruneau
Added today in oclhashcat 131 Django [Default Auth] (PBKDF2 SHA256 Rounds Salt) Support - http://hashcat.net/hashcat/
2014-08-25
Jim Clausing
Unusual CRL traffic?
2014-08-09
Adrien de Beaupre
Complete application ownage via Multi-POST XSRF
2014-06-28
Mark Hofman
No more Microsoft advisory email notifications?
2014-03-13
Daniel Wesemann
Identification and authentication are hard ... finding out intention is even harder
2014-02-26
Russ McRee
Ongoing NTP Amplification Attacks
2014-01-17
Russ McRee
Massive RFI scans likely a free web app vuln scanner rather than bots
2013-12-20
Daniel Wesemann
authorized key lime pie
2013-12-10
Rob VandenBrink
Those Look Just Like Hashes!
2013-10-05
Richard Porter
Adobe Breach Notification, Notifications?
2013-09-18
Rob VandenBrink
Cisco DCNM Update Released
2013-09-05
Rob VandenBrink
Building Your Own GPU Enabled Private Cloud
2013-09-03
Rob VandenBrink
Is "Reputation Backscatter" a Thing?
2013-08-13
Swa Frantzen
Microsoft security advisories: RDP and MD5 deprecation in Microsoft root certificates
2013-07-27
Scott Fendley
Defending Against Web Server Denial of Service Attacks
2013-05-17
Johannes Ullrich
SSL: Another reason not to ignore IPv6
2013-05-11
Lenny Zeltser
Extracting Digital Signatures from Signed Malware
2013-04-15
Rob VandenBrink
Oops - You Mean That Deleted Server was a Certificate Authority?
2013-04-04
Johannes Ullrich
Microsoft April Patch Tuesday Advance Notification
2013-03-29
Chris Mohan
Does your breach email notification look like a phish?
2013-03-23
Guy Bruneau
Apple ID Two-step Verification Now Available in some Countries
2013-03-06
Adam Swanger
IPv6 Focus Month: Guest Diary: Stephen Groat - Geolocation Using IPv6 Addresses
2013-02-08
Kevin Shortt
Is it Spam or Is it Malware?
2013-01-25
Johannes Ullrich
Vulnerability Scans via Search Engines (Request for Logs)
2013-01-03
Manuel Humberto Santander Pelaez
New year and new CA compromised
2012-12-18
Dan Goldberg
Mitigating the impact of organizational change: a risk assessment
2012-12-03
John Bambenek
John McAfee Exposes His Location in Photo About His Being on Run
2012-07-18
Rob VandenBrink
Vote NO to Weak Keys!
2012-07-14
Tony Carothers
User Awareness and Education
2012-07-05
Adrien de Beaupre
Microsoft advanced notification for July 2012 patch Tuesday
2012-06-25
Guy Bruneau
Using JSDetox to Analyze and Deobfuscate Javascript
2012-06-13
Johannes Ullrich
Microsoft Certificate Updater
2012-05-22
Johannes Ullrich
nmap 6 released
2012-02-08
Jim Clausing
Chrome to stop checking Certificate Revocation List (CRL)?
2012-01-03
Bojan Zdrnja
The tale of obfuscated JavaScript continues
2011-12-08
Adrien de Beaupre
Microsoft Security Bulletin Advance Notification for December 2011
2011-11-01
Russ McRee
Secure languages & frameworks
2011-09-19
Guy Bruneau
MS Security Advisory Update - Fraudulent DigiNotar Certificates
2011-09-09
Guy Bruneau
Apple Certificate Trust Policy Update
2011-09-09
Guy Bruneau
Adobe Publish its List of Trusted Root Certificate - http://www.adobe.com/security/approved-trust-list.html
2011-09-08
Rob VandenBrink
When Good CA's go Bad: Other Things to Check in Your Datacenter
2011-08-16
Johannes Ullrich
What are the most dangerous web applications and how to secure them?
2011-08-14
Guy Bruneau
FireCAT 2.0 Released
2011-07-29
Richard Porter
Apple Lion talking on TCP 5223
2011-07-28
Johannes Ullrich
Announcing: The "404 Project"
2011-07-05
Raul Siles
Helping Developers Understand Security - Spot the Vuln
2011-06-21
Chris Mohan
StartSSL, a web authentication authority, suspend services after a security breach
2011-05-18
Bojan Zdrnja
Android, HTTP and authentication tokens
2011-04-28
Chris Mohan
DSL Reports advise 9,000 accounts were compromised
2011-04-22
Manuel Humberto Santander Pelaez
In-house developed applications: The constant headache for the information security officer
2011-04-03
Richard Porter
Extreme Disclosure? Not yet but a great trend!
2011-02-04
Daniel Wesemann
Oh, just click "yes"
2010-12-25
Manuel Humberto Santander Pelaez
An interesting vulnerability playground to learn application vulnerabilities
2010-12-12
Raul Siles
New trend regarding web application vulnerabilities?
2010-09-21
Johannes Ullrich
Implementing two Factor Authentication on the Cheap
2010-08-16
Raul Siles
Blind Elephant: A New Web Application Fingerprinting Tool
2010-08-15
Manuel Humberto Santander Pelaez
Obfuscated SQL Injection attacks
2010-08-15
Manuel Humberto Santander Pelaez
Python to test web application security
2010-07-02
Johannes Ullrich
OISF released version 1.0.0 of Suricata, the open source IDS/IPS engine http://www.openinfosecfoundation.org
2010-06-26
Guy Bruneau
socat to Simulate a Website
2010-06-14
Manuel Humberto Santander Pelaez
Another way to get protection for application-level attacks
2010-06-14
Manuel Humberto Santander Pelaez
Rogue facebook application acting like a worm
2010-04-13
Adrien de Beaupre
Web App Testing Tools
2010-04-08
Bojan Zdrnja
JavaScript obfuscation in PDF: Sky is the limit
2010-04-06
Daniel Wesemann
Application Logs
2010-03-21
Scott Fendley
Skipfish - Web Application Security Tool
2010-03-10
Rob VandenBrink
Microsoft re-release of KB973811 - attacks on Extended Protection for Authentication
2010-03-08
Raul Siles
Samurai WTF 0.8
2010-03-05
Kyle Haugsness
Javascript obfuscators used in the wild
2010-02-20
Mari Nichols
Is "Green IT" Defeating Security?
2010-01-29
Adrien de Beaupre
Neo-legacy applications
2010-01-24
Pedro Bueno
Outdated client applications
2009-12-19
Deborah Hale
Educationing Our Communities
2009-11-13
Deborah Hale
It's Never Too Early To Start Teaching Them
2009-10-20
Raul Siles
WASC 2008 Statistics
2009-10-09
Rob VandenBrink
THAWTE to discontinue free Email Certificate Services and Web of Trust Service
2009-09-16
Raul Siles
Review the security controls of your Web Applications... all them!
2009-08-28
Adrien de Beaupre
WPA with TKIP done
2009-07-23
John Bambenek
Missouri Passes Breach Notification Law: Gap Still Exists for Banking Account Information
2009-06-30
Chris Carboni
Obfuscated Code
2009-06-30
Chris Carboni
De-Obfuscation Submissions
2009-05-26
Jason Lam
A new Web application security blog
2009-05-20
Tom Liston
Web Toolz
2009-04-24
John Bambenek
Data Leak Prevention: Proactive Security Requirements of Breach Notification Laws
2009-04-21
Bojan Zdrnja
Web application vulnerabilities
2009-04-07
Bojan Zdrnja
Advanced JavaScript obfuscation (or why signature scanning is a failure)
2009-03-02
Swa Frantzen
Obama's leaked chopper blueprints: anything we can learn?
2009-01-12
William Salusky
Web Application Firewalls (WAF) - Have you deployed WAF technology?
2009-01-02
Mark Hofman
Blocking access to MD5 signed certs
2008-11-20
Jason Lam
Large quantity SQL Injection mitigation
2008-09-07
Daniel Wesemann
Staying current, but not too current
2008-09-03
Daniel Wesemann
Static analysis of Shellcode - Part 2
2008-08-03
Deborah Hale
Securing A Network - Lessons Learned
2008-07-14
Daniel Wesemann
Obfuscated JavaScript Redux
2008-04-06
Daniel Wesemann
Advanced obfuscated JavaScript analysis
2008-04-03
Bojan Zdrnja
Mixed (VBScript and JavaScript) obfuscation
Homepage
Diaries
Podcasts
Jobs
Data
TCP/UDP Port Activity
Port Trends
SSH/Telnet Scanning Activity
Weblogs
Threat Feeds Activity
Threat Feeds Map
Useful InfoSec Links
Presentations & Papers
Research Papers
API
Tools
DShield Sensor
DNS Looking Glass
Honeypot (RPi/AWS)
InfoSec Glossary
Contact Us
Contact Us
About Us
Handlers
About Us
Slack Channel
Mastodon
Bluesky
X
Make the web a better place by
sharing the SANS Internet Storm Center
with others